DEV Community

Eng Soon Cheah
Eng Soon Cheah

Posted on

Extracting stored passwords and certificates from Automation accounts

*Test at your own risk

1.Use the Get-AzPasswords function to perform a dump of credentials for Automation accounts.

Get-AzPassword -AppServices N - StorageAccounts N - Keys N -ACR N -CosmosDB N -Verbose | out-GridView
Enter fullscreen mode Exit fullscreen mode

2.When prompted to select an Azure subscription, select your test Azure subscription and click OK.
Image description

3.In the resulting output, you should see credentials that were dumped from the Automation account.
Image description

4.Open the current path in File explorer using the following command

explorer .
Enter fullscreen mode Exit fullscreen mode

5.Note that there are now two new files in the directory where the command was run from
Image description

6.For POC, run the AuthenticateAs-automation-acct-AzureRunAsConnection.ps1 script to login as the RunAs account.
Image description

7.Use the following command to confirm the current user context.
Image description

We now have the cleartext credentials from the Automation account and a private certificate that we can use to authenticate as the Run as account. Since the Contributor role is configured for the Run as account by default, this means we will likely have a persistent Contributor account in the subscription.

Additionally, if the Run as account is granted any additional roles beyond the default Contributor role, we may be able to use these credentials to escalate privileges or pivot to other subscription.

While it is less common, we have seen Run as accounts that are give Owner permissions on root management groups. In most cases, this is done to allow the Automation account to automate changes in all of the subscription at once. This allows anyone with Contributor access to that Automation account to inherit the root management group role and take over all of the subscriptions.

Reference
https://github.com/cheahengsoon/Penetration-Testing-Azure-for-Ethical-Hackers

Top comments (0)